My question is the following:
When making updates to module files (either through svn update/git pull as shown in the link above, or scp/rsync, or manually updating them in a text editor), is there a way to implement critical-region/mutex style locking on the modules directory such that you can guarantee that the puppet agents won't receive a partial/incomplete configuration while the update/copy is in progress on the puppet master?

nice question .. I've never seen that as an issue before, however one way that I've implemented this is on master to have clients pointing at say production branch - then when releasing a new prod branch we do the pull/checkout -- however within the branch we use a specific tag - we don't change the tag until the main branch has been merged, I believe this would prevent the scenario your discussing?

Comments

Thanks for the reply! It does prevent PART of the scenario - which is the case where you make a mistake or forget to check-in a file, etc - making it such that the clients don't see the updates until the branch has been tagged (and hopefully verified prior to tagging).

Say you tagged your branch, and in order to update to your new tag, 30 files would need to be updated. Say halfway through you update, a client polls the master - you could potentially have a scenario where a module could be built with a mix of updated and out-of-date files.